Internationalized Domain Names (Idns)
Total Page:16
File Type:pdf, Size:1020Kb
Configuring for Email Address Internationalization (EAI) Technical Tutorial 16 November 2020 Panelist ¤ Mohamed Elbashir, Universal Acceptance (UA) Program Manager ¤ Mark Elkins, CEO Posix Systems, South Africa and UA Ambassador | 2 Agenda ¤ Tutorial Target Audience and Objectives ¤ Key Fundamental Aspects: Unicode, IDNs, UA ¤ Key Fundamental Aspects: Email ¤ Email Address Internationalization (EAI) ¤ Demonstration: Setup ¤ Demonstration: Action! ¤ Considerations Deploying EAI: Case Mapping and Matching ¤ Considerations Deploying EAI: Spam ¤ Considerations Deploying EAI: MX Consistency, Mailing Lists, Delivery Notifications, and User Accounts | 3 Tutorial Target Audience and Objectives ¤ Target Audience: - IT Managers - System Administrators of Email Servers ¤ Objectives: ¡ Understand base key concepts related to internationalized email. ¡ Understand Email Address Internationalization (EAI) ¡ Configure Postfix and Courier to support EAI. ¡ Understand issues regarding tHe deployment of EAI. | 4 Key Fundamental Aspects: Unicode, IDNs, UA | 5 Unicode ¤ Encoding glypHs into codepoints. ¤ In specifications, codepoints are sHown in hex using the U+XXXX notation. ¤ Codepoints are typically carried using tHe UTF-8 (Unicode Transformation Format, 8 bit) format. ¡ Variable number of bytes for a single codepoint. ¡ ASCII is used as is. ¡ Gold standard for carrying Unicode codepoints in web, protocols, etc. | 6 Unicode ¤ There are multiple ways to use a glypH: ¡ “è” = U+00E8 ¡ “e`” = “è” = U+0065 U+0300 ¡ Normalization is a process to insure that no matter the user type, the end representation will be the same. • For the two entries above, Normalization Form C (NFC) will generate U+00E8 for botH. | 7 Domain Names ¤ A domain name is an ordered set of labels: a.b.c.d ¤ A top-level domain is tHe rigHtmost label: “d” in left-to-rigHt scripts. ¤ The Domain Name System (DNS) is the distributed database and service for querying domain name records. cs.university.ac.za cs.university.edu.sd | 8 Domain Names ¤ A domain name may Have multiple DNS records sucH as: ¡ IPv4 address for that domain name. ¡ IPv6 address for that domain name. ¡ Hostname of tHe email server responsible for tHat domain name. ¡ ... ¤ A zone is tHe list of domain name records – called Resource Records (RR) – for the labels under another label (a bit simplified…) | 9 Internationalized Domain Names (IDNs) ¤ Internationalized Domain Names (IDNs) enable the use of non-ASCII characters for any label of a domain name. ¡ Not all labels of a domain name may be internationalized. ¤ Example: exâmple.ca ¤ User uses tHe IDN version, but tHe IDN is converted into ASCII for DNS resolution. ¡ exâmple => exmple-xta => xn--exmple-xta ¡ The xn-- prefix is added to identify an IDN. | 10 Internationalized Domain Names (IDNs) ¤ Example process of using an IDN: ﻊﻗوﻣ . برﻋ User enters in a browser: Http://exâmple.com or ¡ ¡ Browser does normalization on tHe user entry. ¡ Browser converts exâmple.ca in an ASCII compatible representation called Punycode [RFC3492], and adds ‘xn--’ in front of it. • exâmple.ca becomes: xn--exmple-xta.ca ¡ Browser calls tHe DNS to get tHe IP address of xn-- exmple-xta.ca ¡ Browser connects to tHe HTTP server at tHe received IP address. | 11 Expansion of the DNS Pre-2009 2009-2016onward 2013-onward Generic TLDs IDN ccTLDs New gTLD Program (gTLDs) (in non-Latin scripts) New and Long (22 total) gTLDs ﻟارﻐﻣب . ﺻﻣر . .com .edu (Over 1,200 total) ﻧوﺗس . زﺟ ا ﺋ ر . .org .net روﻣ ﯾ ﺗ ﺎ ﻧ ﯾ ﺎ . وﺳ د ا ن . .bank .africa .site .aero .asia .рф .台灣 .joburg .global .mtn .mobi .travel .한국 .ଭାରତ .rio .vote .sky .info IDN gTLDs Country Code TLDs (in non-Latin scripts) (ccTLDs) .संगठन .在线 (two-character ASCII ccTLDs) .닷넷 .ストア дети . ﺑﺷ ﺔﻛ . eg .za. .ke .sd | 12 Internationalized Domain Names (IDNs) ¤ The protocol for handling IDNs is named IDN for Applications (IDNA). ¡ Two versions: IDNA2003 and IDNA2008. THe latter (IDNA2008) is tHe one currently used. ¤ U-label is tHe Unicode native representation of an IDN ﻣ لﺎﺛ label: example or ¤ A-label is tHe Punycode representation of an IDN label: xn--exmple-xta or xn--mgbh0fb | 13 Universal Acceptance (UA) ¤ UA is about How to appropriately support internationalized identifiers, as well as new and long TLDs. ¡ Internationalized identifiers: • Internationalized Domain Names (IDN) • Email Addresses Internationalization (EAI) | 14 Universal Acceptance (UA) Domain Names: § New short top-level ASCII domain names: example.sky § New long top-level ASCII domain names: example.africa § Internationalized Domain Names (IDNs): डाटा.भारत Email Addresses: § ASCII@ASCII (new and long TLD) [email protected] § ASCII@IDN marc@société.org § Unicode@ASCII 测试@example.com § Unicode@IDN अजय@डाटा.भारत یا - لﯾﻣ @ ﺛﻣ لﺎ . ﻊﻗوﻣ Unicode@IDN; right-to-left scripts § Accept Validate Process Store Display | 15 | 16 Key Fundamental Aspects: Email | 17 Email Stack for UA Consideration Webmail: - Gmail - Coremail - Yandex MXAs - Axigen - Courier - Dovecot - Postfix - Zimbra Components of Email System: Mail User, Submission, Transfer, Delivery Agents, and Mail Service Provider | 18 Email Terminology ¤ Terminology: ¡ Mail User Agent (MUA): • The software used by the user wHo sends and receives email. • WitH web mail, tHe MUA is an application run in a browser environment. ¡ Mail Transfer Agent (MTA) • A software, usually on servers, tHat transfers mail on behalf of the user to another MTA. ¡ Mail Submission Agent (MSA) • A software, usually on servers, wHicH receives tHe email from the MUA. Typically, this function is bundled with an MTA. | 19 Email Terminology ¤ Terminology: ¡ Mail Delivery Agent (MDA): • A software, usually on servers, wHicH receives tHe email from an MTA and is the final destination for the email. • It typically stores the email in a file (or a database) and waits for the MUA of the destination user to fetcH the email. Typically, this function is bundled witH an MTA. | 20 Email Terminology ¤ For example, Postfix is typically used as an MTA, MDA, and MSA. ¤ For more details, see UASG012 report. ¤ For simplicity, MSA and MDA are not sHown in the next slides. Sending an email | 21 Email: How To Find the Destination Server ¤ When sending email to [email protected], tHe metHod to find the destination email server is by querying the DNS for the MX records of the domain. ¤ For example, the MX records for example.com could be: ¡ MX 10 server1.example.com ¡ MX 10 server2.example.com ¡ MX 20 server3.example.com | 22 Email: How To Find the Destination Server ¤ The sender email server would then try connecting to either server1 or server2 since they have same priority (10). If none respond, it would tHen try server3 since it Has a lower priority (20). ¡ The higHer number means lower priority. | 23 Email Delivery Path Using email software for both users. Using web email for both users. ¤ Mix is also very common: Email software for one user, web email for other user. ¤ Mail server is the MTA; the source and destination servers are MSA and MDA, respectively. ¤ Mail User Client can be on desktop, laptop, or mobile. | 24 Email Delivery Path Sender (Laptop/Web-mail) User Authentication over TLS (STARTTLS) Port 25 Firewall – user can not sent to the global Internet over port 25 Deterministic rather than opportunistic security using DANE User authentication on port 995 (pop3) or 993 (imap) Receiver (Laptop/Web-mail) | 25 Email Delivery Path Users l should not have port 25 access to the general Internet to reduce opportunity of sending SPAM & Virus’ e.g. via a Virus on their machine. l All interaction to their organisations mail servers must be done using SSL/TLS. TLS Certificates can be obtained for free (Let’s Encrypt) SPF Records in the Senders DNS specify which SMTP servers can be used for that users domain. “v=spf1 a:smtp.café.capetown -all” E-mail received by anyone that sees this rule broken can drop those emails. Note: There can only be one SPF record per Domain. | 26 Email Delivery Path Mail Servers l Should have their own TLS Certificate l Zone should be DNSSEC Signed l Should have a DANE/TLSA checksum Record (DNS-based Authentication of Named Entities /Transport Layer Security Authentication) e.g for Mail use... “3 1 1 789...” l Mail is then Deterministically rather than Opportunistically delivered l DKIM - Sign outbound emails, put public key in DNS l (detects changes in transit) DomainKeys Identified Mail l Can check incoming emails for SPF and DKIM violations l Can add a DMARC DNS record to specify a senders policy Domain-based Message Authentication, Reporting & Conformance | 27 Email Delivery Path Considerations ¤ Each user of an email communication chooses His own email environment/software/setup independently. ¤ The sender does not know the receiver email environment, meaning: ¡ The sender does not know wHicH protocols are used to deliver email. ¡ The sender does not know if the receiver email supports some features. | 28 Email Delivery Path Considerations ¤ The delivery goes througH a cHain of email servers. ¡ The number of email servers is unknown. ¡ The actual cHain of servers: • Is unknown at the beginning. • May change for any subsequent email sent. ¡ The features supported by eacH email server is unknown to the path or from the sender. ¡ Features are only discovered one hop at a time (i.e. the next hop). | 29 Email Address Internationalization (EAI) | 30 Email Address Internationalization (EAI) ¤ Email syntax: leftside@domainname ¤ Domain name can be internationalized as an IDN (U- labels or A-labels). ¤ Left side (also known as local part/mailbox name) with Unicode (UTF-8) is EAI. ¤ Side effect: ¡ Mail Headers need to be updated to support EAI. ¡ Mail Headers are used by mail software to get more information on How to deliver email. | 31 Email Address Internationalization (EAI) ¤ Not all email servers support EAI, so a negotiation protocol is used to only send EAI when the target server supports it. If not, tHen it falls back and returns an ‘unable to deliver’ message back to the sender.